Kaido Jarvemets - Logo

Azure Arc – Add servers from Azure Update Management

Introduction

Azure Arc offers various options for deploying the agent on your servers, whether they are virtual machines or physical servers. Before starting any Azure Arc project, it is crucial to discuss with the customer how to onboard the agent and set up the necessary processes. This task can be divided into two phases:

  • Initial agent deployment
  • New server provisioning process

This post shows how to install the agent through the Azure Automation Update Management feature.

Currently, there are several ways to deploy the agent:

  • Manually
  • a service principle for large-scale deployments
  • Azure Update Management for existing customers
  • Az.ConnectedMachine PowerShell module for custom installations
  • Desired State Configuration
  • Script feature in Configuration Manager
  • Group Policy
  • Windows Admin Center
  • Custom Task Sequence in Configuration for large-scale deployments

As you see from this list, you have plenty of agent deployment methods. Pick and choose the one that suits you the best.

Important!

As Azure transitions away from the Microsoft Monitoring Agent (MMA) in August 2024, it’s important for users of Azure Automation Update Management to shift to Azure Update Manager. This new platform not only replicates all capabilities of its predecessor but also introduces several enhancements. Azure Update Manager simplifies the user experience with zero on-boarding, eliminating dependencies on Log Analytics and Azure Automation. It fully integrates with Azure Policy, providing enhanced flexibility for patching options and scheduling updates.

The platform also introduces granular access control and operates based on Azure Resource Manager, offering refined operational control. Additionally, Azure Update Manager leverages a new Azure extension, streamlining the update assessment and application processes for both Azure VMs and Azure Arc-enabled servers. This extension automates the update process, from status retrieval to the initiation of updates, with all results analyzable via the Azure Resource Graph, ensuring a seamless and efficient update management experience.

What is Azure Automation Update Management?

Azure Update Management is a cloud-based service that manages and deploys updates for Windows and Linux computers. It helps reduce the time and effort needed to keep systems up-to-date with the latest security patches, hotfixes, service packs, and more. With Update Management, IT administrators can easily discover which servers need to be updated, create deployment plans for rolling out those updates orderly, review reports on patch compliance across their environment, and receive notifications when new updates become available. This provides a comprehensive solution for quickly and reliably keeping your systems secure while minimizing disruption to operations.

Update Management also integrates with Azure Log Analytics, storing all data in the same Workspace. This makes it easier for us to create Workbooks, Alerts, Automation etc.

There are many customers who are using Azure Update Management today, and based on my experience, it is the easiest way to roll out the Azure Arc-Enabled Servers agent.

From the above screenshot, you can see that we have one server connected with Azure Update Management.

If you are already an experienced administrator around Azure Update Management, you have noticed that Microsoft uses the Patch-MicrosoftOMSComputers runbook for patching.

Microsoft fully manages this runbook, and you don’t have any access to that. It is also a special and hidden runbook because it can run directly on your servers under the system runbook hybrid worker. If you create a custom PowerShell runbook for yourself, then you cant do the same. You can only run the runbooks using the Azure Automation Runbook Hybrid Workers that you have deployed and belong to the Runbook Worker groups.

Now with Azure Arc, Microsoft introduces another new master runbook called Add-AzureConnectedMachines. Microsoft fully manages this runbook and can also run on your servers directly.

Requirements

To deploy Azure Arc agent through Azure Update Management, you need the following:

  • Azure Log Analytics Workspace
  • Microsoft Monitoring Agent should be installed and configured on your servers
  • Azure Automation Account
  • Azure Update Management solution activated
  • Automation Job Operator role permissions
  • Permissions to create Service Principals
  • Permissions to manage Resource Group / Subscription permissions
  • Azure resource providers for Azure Arc enabled-servers
 

Before you continue, make sure to take some time and think through how many resource groups you want to create for Azure Arc servers. You can onboard all the servers into a single resource group or split them into multiple ones based on the administration model, location, services, etc. It is also fully supported in moving Azure Arc resources to other resource groups.

Resource Providers

Before you are going to onboard the servers on Azure Arc make sure to enable the following Azure resource providers on your subscription.

  • Microsoft.HybridCompute
  • Microsoft.GuestConfiguration
  • Microsoft.HybridConnectivity
  • Microsoft.AzureArcData (if you plan to Arc-enable SQL Servers)

Azure Private Link and Azure Arc

Azure Private Link offers a robust solution for securely connecting servers to Azure Arc, eliminating the need to use public networks. This method significantly enhances security by allowing private connections directly to Azure Arc, ensuring that data from Azure Arc-enabled machines or servers is accessed only through authorized private networks. By utilizing Azure Private Link, all traffic is kept within the Microsoft Azure backbone network, providing a secure and efficient way to manage your servers. This integration is particularly beneficial in maintaining the integrity and confidentiality of data while leveraging the full capabilities of Azure Arc​.

PS! This configuration requires that you have site-to-site VPN or express-route deployed.

Azure Arc agent deployment through Update Management

Rolling out the Azure Arc Connected Machine Agent using the Update Management goes through the following process:

  • Automatically creates Entra ID Service Principal. It uses this for authentication and onboarding. The main Azure Arc configuration panel shows all the service principals.

Using other agent deployment methods, you can create Service Principals through the UI, PowerShell, or Azure CLI. But in this case, everything will be taken care of for you.

  • Installs the Connected Machine Agent
  • Onboards the server to Azure Arc service

You can install the Azure Arc-enabled server agent on one or multiple virtual machines or physical servers that use Windows or Linux operating systems. These machines may be on-premises or in another cloud environment but must be managed through Azure Automation Update Management.

Follow the steps to deploy the agent through Update Management for the hybrid machines. These steps should not trigger any reboots. If you have many servers, you can phase them into multiple smaller groups.

  1. Open Azure Portal (portal.azure.com ) and search for Azure Arc
  2. On the Azure Arc panel, choose Add your infrastructure for free
  3. Select Servers
  4. On the Add servers with Azure Arc panel, select Add servers from Update Management
  5. On the Add servers from Update Management page, specify the following information:
    a. Subscription
    b. Resource Group
    c. Region
    d. SPN
    e. Connectivity Method
    • Public endpoint
    • Proxy Server
    • Private Endpoint
  6. On the Servers page, click +Add Servers and choose the servers you want to add
  7. On the Authentication page, choose Create a new service principal. If you select use the existing one, then you need to specify the Service Principal and enter the Client Secret.
  8. Specify the Tags
  9. Review the deployment information and click Add

These steps kick off the Add-AzureConnectedMachines runbook. If it is Windows server-based operating system, you see that it executes the child runbook called Add-AzureConnectedMachineWindows. If you also selected Linux servers, you see the Add-AzureConnectedMachineLinux runbook. Both of these runbooks will be executed under the system Hybrid Runbook Worker.

There are two different types of Runbook Workers:

  • User – Custom runbooks that you can execute through the Azure Automation Hybrid Runbook Workers. You can create your own Runbook Worker groups for different datacenters etc. For each Runbook Worker Group, you need at least one virtual machine. You can deploy this through the Azure Arc Extensions.
  • System – Fully managed and hidden runbooks by Microsoft. These can be executed directly on the servers.

References

Leave a Reply

Contact me

If you’re interested in learning about Azure Arc – Add servers from Azure Update Management. I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.

Table of Contents